On Wed, Jan 25, 2017 at 08:23:07AM -0700, Thomas Fjellstrom wrote:
> Hi.
> 
> I'm having a minor problem setting up shorewall to properly route and allow 
> openvpn traffic through my firewall. 
> 
> I'd like the openvpn client to be running on the firewall, and allow local 
> machines to connect to and communicate with the private subnet on the other 
> side of the vpn, but not allow new traffic from the other side into my lan.
> 
> So far I have traffic that is getting sent out my public connection to the 
> openvpn server, but nothing comes back according to `tcpdump -i extIF host 
> VPNGATEWAY`. Nothing shows up in the logs stating traffic has been blocked. 
> Policy is set up to log on the final DROP and REJECT rules.
> 

Hi Thomas,

What you are describing sounds like a three interface setup.  There is a
HOWTO here:

http://shorewall.net/three-interface.htm

You will have local and net zones like in the HOWTO.  The main
difference is that instead of a DMZ zone you will have a VPN zone, which
it sounds like you want to treat sort of like a net zone (traffic is OK
to go from your local network to that zone, but not the other way
around).  It should be just a matter of ensuring you have forwarding (I
assume you do or you would have other problems), the right policy (loc
-> vpn == OK), and possibly masquerading (depending on the address
ranges involved).

Regards,

-Roberto

-- 
Roberto C. Sánchez
http://people.connexer.com/~roberto
http://www.connexer.com
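Added example, not part of either message above: the three-interface layout Roberto describes, written out as Shorewall configuration fragments for the case where the OpenVPN client runs on the firewall itself. Interface names (eth0 public, eth1 LAN, tun0 OpenVPN), the LAN prefix 192.168.1.0/24 and the server address 203.0.113.10 are placeholders to be replaced with the real values; the `?FORMAT 2` interfaces syntax and the `openvpnclient:udp:port` tunnel type are Shorewall's documented forms, but the port must match the server's. The `masq` file is shown because it is the pre-5.1 form; newer releases use `snat` for the same purpose.

```text
# /etc/shorewall/zones
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
vpn     ipv4

# /etc/shorewall/interfaces   (?FORMAT 2 syntax, Shorewall 4.5 and later)
?FORMAT 2
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags,nosmurfs
vpn     tun0

# /etc/shorewall/policy   (first match wins, so the specific entries come first)
#SOURCE DEST    POLICY  LOGLEVEL
loc     vpn     ACCEPT            # LAN may open connections to the remote subnet
vpn     loc     DROP    info      # remote side may not open connections to the LAN
loc     net     ACCEPT
$FW     net     ACCEPT            # the firewall itself must reach the OpenVPN server
$FW     vpn     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/tunnels   (placeholder server address; port must match the server)
#TYPE                   ZONE    GATEWAY
openvpnclient:udp:1194  net     203.0.113.10

# /etc/shorewall/masq   (only if the remote side has no route back to the LAN prefix)
#INTERFACE  SOURCE
tun0        192.168.1.0/24
```

Before restarting, `shorewall check` validates the files, and `sysctl net.ipv4.ip_forward` (or `IP_FORWARDING=On` in shorewall.conf) confirms forwarding is actually enabled. Replies to connections the LAN opened are matched by Shorewall's stateful ESTABLISHED/RELATED handling, so the `vpn -> loc DROP` policy does not break them; with `info` on that line, any genuinely new connection attempt from the remote side shows up in the log, which is the quickest way to tell "dropped" apart from "never arrived". If `tcpdump -i tun0` shows nothing at all while the tunnel is up, the problem is routing (check `ip route` for the remote prefix via tun0) or masquerading rather than policy.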


_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
